EU Solidarity Clause and ‘Cyber Disaster’

European Union Member States are ready to assist each other in case of a cyber attack amounting to a ‘man-made disaster’.

In June 2014, the European Union Council adopted a decision on the implementation of the ‘solidarity clause’ that obliges the Union and the Member States to act jointly if a Member State is the object of a terrorist attack or the victim of a natural or man-made disaster.

Cyber attacks may trigger the ‘solidarity clause’

Perhaps one of the strongest messages of the European Union (EU) Cyber Security Strategy addresses EU support to Member States in case of a major cyber incident or attack. The strategy outlines possible responses to different types of cyber incidents, such as those impacting business continuity or personal data, cybercrime, cyber espionage, and others. According to the strategy, in the case of a state-sponsored attack or attacks affecting national security, the national security and defence authorities should alert their relevant counterparts, so that they can defend themselves; also, early warning mechanisms and crisis management procedures should be activated.

Importantly, the strategy states that ‘a particularly serious cyber incident or attack could constitute sufficient ground for a Member State to invoke the EU Solidarity Clause (Article 222 of the EU-Treaty on the Functioning of the European Union (TFEU)).’ TFEU Article 222 requires that ‘the Union and its Member States shall act jointly in a spirit of solidarity if a Member State is the object of a terrorist attack or the victim of a natural or man-made disaster.’ If such an incident occurs, the EU shall mobilise all the instruments at its disposal, including military resources made available by the Member States, to ‘prevent the terrorist threat in the territory of the Member States’ or to ‘assist a Member State in its territory /…/ in the event of a natural or man-made disaster.’ Any such assistance may only take place at the request of the Member State’s political authorities.

Differences and similarities of the ‘solidarity’ and ‘mutual defence’ clauses

The principle of solidarity as found in Article 222 of the TFEU should not be confused with the so-called ‘mutual defence clause’ of Article 42(7) of the Treaty on European Union (TEU)1 , which obligates Member States to aid and assist another Member State that has been the victim of armed aggression on its territory. The latter is very similar to the Article 5 of the North Atlantic Treaty and its ‘collective defence’ principle; and both of the clauses could also apply in a cyber incident rising to the threshold of an ‘armed attack’ or ‘armed aggression’. As such, the NATO and EU clauses are not contradictory; rather, they complement each other. This is also expressed in TEU Article 42(7) itself, which adds: ‘Commitments and cooperation in this area shall be consistent with commitments under the North Atlantic Treaty Organisation, which, for those States which are members of it, remains the foundation of their collective defence and the forum for its implementation.’

Whereas the TEU mutual defence clause focuses on the obligations of the Member States (and not the EU itself),2 the TFEU solidarity clause provides for the Union and its Member States to act jointly. Also, the activation of the mutual defence clause does not require political coordination at the EU level, as is foreseen in the solidarity clause. However, in addition to these differences, there are also enough similarities between the two clauses to lead some authors to ask why TEU Article 222 and TFEU Article 42 are separated instead of being incorporated into one clause.3 For example, as put forward by Sara Myrdal and Mark Rhinard, both of the clauses introduce binding commitments amongst Member States and both prescribe grounds for drawing on ‘all available means’ when requested. Furthermore, there are theoretical possibilities that both clauses could be triggered together, particularly in cases when a ‘threat agent’ is unclear.4

EU is shedding light on the ‘solidarity clause’

In order to make the solidarity clause less laconic than its present form in TFEU Article 222 and to respond to the numerous questions regarding its scope, the range of threats included, and its implementation, in June 2014 the Council adopted a decision on the rules and procedures for the implementation of the solidarity clause.

The decision further outlines the EU’s role and underlines the need and options for close cooperation of all relevant actors at the Member State and EU level. The decision states that ‘in the event of a disaster or terrorist attack, the affected Member State may invoke the solidarity clause if, after having exploited the possibilities offered by existing means and tools at national and Union level, it considers that the crisis clearly overwhelms the response capabilities available to it.’ [Article 4(1)]. In response to a Member State’s request, the Commission and the High Representative, assisted by the European External Action Service, will identify all Union instruments and capabilities (including sector-specific, operational, policy or financial instruments, military capabilities, and any proposed other options) that can best contribute to the response to the crisis, and will take all the necessary measures under their competence (Article 5).

‘Cyber disaster’?

The decision also makes an effort to explain the scope of the threats covered under the TFEU, Article 222. Accordingly, ‘disaster’ in the context of Article 222, means ‘any situation which has or may have a severe impact on people, the environment or property, including cultural heritage’. Therefore, the EU has chosen not to narrow the scope of the applicability of the Article but, instead, to keep it relatively wide, and ready to be used in any type of an incident having a ‘severe impact’.

It is noteworthy that the ‘severe impact’ requirement does not seem to be necessarily tied to physical or financial damage. Hence, according to the proposed definition, a sophisticated and long-lasting Distributed Denial of Service attack against the private and public networks of a country that is heavily dependent on e-services in its everyday life, which results in severe impact on people, such as blocking their access to public information, denying access to the e-services provided by the State or affected private entities, hindering overall communication and in other ways interfering with the lives of the whole population, could be considered as having a ‘severe impact’, and thus being a cyber ‘disaster’. Unless clarified further in EU documents, the currently vaguely-defined threshold of the cyber ‘disaster’ would become more precise only by interpretations reflected in state practice in invoking the solidarity clause and by EU precedents in assisting a requesting State.

Decision will be periodically reviewed

In admitting the need to shape the decision according to identified needs and lessons learned in the future, the June 2014 instrument will be reviewed periodically in the Council on the basis of a joint report prepared by the Commission and the High Representative of the Union for Foreign Affairs and Security Policy (Article 9).

Anna-Maria Osula

This publication does not necessarily reflect the policy or the opinion of the NATO Cooperative Cyber Defence Centre of Excellence (the Centre) or NATO. The Centre may not be held responsible for any loss or harm arising from the use of information contained in this publication and is not responsible for the content of the external sources, including external websites referenced in this publication.

S. Blockmans and R.A. Wessel, ‘The European Union and Crisis Management: Will the Lisbon Treaty make the EU more Effective?’(2009) Journal of Conflict & Security Law p.301. [↩]

Sara Myrdal, Mark Rhinard, ‘The European Union’s Solidarity Clause: Empty Letter or Effective Tool? An Analysis of Article 222 of the Treaty on the Functioning of the European Union’, Occasional UI Papers 2010 no 2, available at: http://www.ui.se/upl/files/44241.pdf [↩]